* [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs
@ 2014-06-23  2:32 Kai Kang
  2014-06-23  2:32 ` [PATCH 1/5] iptables: update RRECOMMENDS Kai Kang
                   ` (5 more replies)
  0 siblings, 6 replies; 18+ messages in thread
From: Kai Kang @ 2014-06-23  2:32 UTC (permalink / raw)
  To: openembedded-core

Update iptables runtime recommends and add default init scripts and configs from redhat. That gives users a rudimentary configuration, and they only need to update their own iptables rules.

The following changes since commit 7c1a975a1c2fd884aa9f6f4736656d854a6c5edb:

  bitbake: toaster: Fix spacing and layout in no image files notification (2014-06-20 14:03:58 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib kangkai/iptables
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/iptables

Kai Kang (5):
  iptables: update RRECOMMENDS
  iptables: add init script and configure file
  iptables: add default rules
  iptables: update rules for ip6tables
  iptables: update init script and bb file

 .../iptables/iptables/ip6tables.rules              |  31 ++
 .../iptables/iptables/iptables-config              |  54 +++
 .../iptables/iptables/iptables.init                | 445 +++++++++++++++++++++
 .../iptables/iptables/iptables.rules               |  30 ++
 meta/recipes-extended/iptables/iptables_1.4.21.bb  |  27 +-
 5 files changed, 586 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.rules
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables-config
 create mode 100755 meta/recipes-extended/iptables/iptables/iptables.init
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules

-- 
1.9.1




* [PATCH 1/5] iptables: update RRECOMMENDS
  2014-06-23  2:32 [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Kai Kang
@ 2014-06-23  2:32 ` Kai Kang
  2014-06-24  6:11   ` Anders Darander
  2014-06-23  2:32 ` [PATCH 2/5] iptables: add init script and configure file Kai Kang
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 18+ messages in thread
From: Kai Kang @ 2014-06-23  2:32 UTC (permalink / raw)
  To: openembedded-core

Update RRECOMMENDS for iptables, as some basic iptables rules need
these kernel modules.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-extended/iptables/iptables_1.4.21.bb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-extended/iptables/iptables_1.4.21.bb b/meta/recipes-extended/iptables/iptables_1.4.21.bb
index dc17d57..ba4e8e4 100644
--- a/meta/recipes-extended/iptables/iptables_1.4.21.bb
+++ b/meta/recipes-extended/iptables/iptables_1.4.21.bb
@@ -15,7 +15,13 @@ RRECOMMENDS_${PN} = "kernel-module-x-tables \
                      kernel-module-nf-conntrack \
                      kernel-module-nf-conntrack-ipv4 \
                      kernel-module-nf-nat \
-                     kernel-module-ipt-masquerade"
+                     kernel-module-ipt-masquerade \
+                     kernel-module-xt-tcpudp \
+                     kernel-module-xt-conntrack \
+                     kernel-module-ipt-reject \
+                     kernel-module-ip6-tables \
+                     kernel-module-ip6table-filter \
+                    "
 FILES_${PN} =+ "${libdir}/xtables/ ${datadir}/xtables"
 FILES_${PN}-dbg =+ "${libdir}/xtables/.debug"
 
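Review bot: the list still lacks modules that the rules files in this series need. iptables.rules (3/5) matches with `-m state`, which is the xt_state module (kernel-module-xt-state, distinct from the xt-conntrack entry added here), and ip6tables.rules ends with `-j REJECT --reject-with icmp6-adm-prohibited`, which needs kernel-module-ip6t-reject; only `kernel-module-ipt-reject` is listed. Adding both keeps the recommends in step with the shipped rules, and the commit message could say which rule needs which module so the list can be pruned when the rules change.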
-- 
1.9.1




* [PATCH 2/5] iptables: add init script and configure file
  2014-06-23  2:32 [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Kai Kang
  2014-06-23  2:32 ` [PATCH 1/5] iptables: update RRECOMMENDS Kai Kang
@ 2014-06-23  2:32 ` Kai Kang
  2014-06-23  2:32 ` [PATCH 3/5] iptables: add default rules Kai Kang
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 18+ messages in thread
From: Kai Kang @ 2014-06-23  2:32 UTC (permalink / raw)
  To: openembedded-core

Add the init script and related configuration file for iptables from the
RedHat 6 package iptables version 1.4.7.

Remove trailing white spaces.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../iptables/iptables/iptables-config              |  54 +++
 .../iptables/iptables/iptables.init                | 445 +++++++++++++++++++++
 2 files changed, 499 insertions(+)
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables-config
 create mode 100755 meta/recipes-extended/iptables/iptables/iptables.init

diff --git a/meta/recipes-extended/iptables/iptables/iptables-config b/meta/recipes-extended/iptables/iptables/iptables-config
new file mode 100644
index 0000000..d9f6c34
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables-config
@@ -0,0 +1,54 @@
+# Load additional iptables modules (nat helpers)
+#   Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Unload modules on restart and stop
+#   Value: yes|no,  default: yes
+# This option has to be 'yes' to get to a sane state for a firewall
+# restart or stop. Only set to 'no' if there are problems unloading netfilter
+# modules.
+IPTABLES_MODULES_UNLOAD="yes"
+
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+#   Value: yes|no,  default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+#   Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
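Review bot: the comment for IPTABLES_STATUS_VERBOSE says `default: yes` but the value set is `IPTABLES_STATUS_VERBOSE="no"`, which is also what the init script defaults to; fix the comment so it does not mislead. This file is user-editable configuration and should be marked as a conffile in the recipe so local changes survive a package upgrade.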
diff --git a/meta/recipes-extended/iptables/iptables/iptables.init b/meta/recipes-extended/iptables/iptables/iptables.init
new file mode 100755
index 0000000..01057dd
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.init
@@ -0,0 +1,445 @@
+#!/bin/sh
+#
+# iptables	Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description:	Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+# only usable for root
+[ $EUID = 0 ] || exit 4
+
+if [ ! -x /sbin/$IPTABLES ]; then
+    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+    exit 5
+fi
+
+# Old or new modutils
+/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+    && NEW_MODUTILS=1 \
+    || NEW_MODUTILS=0
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_MODULES_UNLOAD="yes"
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
+IPTABLES_SYSCTL_LOAD_LIST=""
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+# Netfilter modules
+NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
+NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
+
+# Get active tables
+NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+
+
+rmmod_r() {
+    # Unload module with all referring modules.
+    # At first all referring modules will be unloaded, then the module itself.
+    local mod=$1
+    local ret=0
+    local ref=
+
+    # Get referring modules.
+    # New modutils have another output format.
+    [ $NEW_MODUTILS = 1 ] \
+	&& ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
+	|| ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
+
+    # recursive call for all referring modules
+    for i in $ref; do
+	rmmod_r $i
+	let ret+=$?;
+    done
+
+    # Unload module.
+    # The extra test is for 2.6: The module might have autocleaned,
+    # after all referring modules are unloaded.
+    if grep -q "^${mod}" /proc/modules ; then
+	modprobe -r $mod > /dev/null 2>&1
+	res=$?
+	[ $res -eq 0 ] || echo -n " $mod"
+	let ret+=$res;
+    fi
+
+    return $ret
+}
+
+flush_n_delete() {
+    # Flush firewall rules and delete chains.
+    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+
+    # Check if firewall is configured (has tables)
+    [ -z "$NF_TABLES" ] && return 1
+
+    echo -n $"${IPTABLES}: Flushing firewall rules: "
+    ret=0
+    # For all tables
+    for i in $NF_TABLES; do
+        # Flush firewall rules.
+	$IPTABLES -t $i -F;
+	let ret+=$?;
+
+        # Delete firewall chains.
+	$IPTABLES -t $i -X;
+	let ret+=$?;
+
+	# Set counter to zero.
+	$IPTABLES -t $i -Z;
+	let ret+=$?;
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+set_policy() {
+    # Set policy for configured tables.
+    policy=$1
+
+    # Check if iptable module is loaded
+    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+
+    # Check if firewall is configured (has tables)
+    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+    [ -z "$tables" ] && return 1
+
+    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
+    ret=0
+    for i in $tables; do
+	echo -n "$i "
+	case "$i" in
+	    raw)
+		$IPTABLES -t raw -P PREROUTING $policy \
+		    && $IPTABLES -t raw -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    filter)
+                $IPTABLES -t filter -P INPUT $policy \
+		    && $IPTABLES -t filter -P OUTPUT $policy \
+		    && $IPTABLES -t filter -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    nat)
+		$IPTABLES -t nat -P PREROUTING $policy \
+		    && $IPTABLES -t nat -P POSTROUTING $policy \
+		    && $IPTABLES -t nat -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    mangle)
+	        $IPTABLES -t mangle -P PREROUTING $policy \
+		    && $IPTABLES -t mangle -P POSTROUTING $policy \
+		    && $IPTABLES -t mangle -P INPUT $policy \
+		    && $IPTABLES -t mangle -P OUTPUT $policy \
+		    && $IPTABLES -t mangle -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    *)
+	        let ret+=1
+		;;
+        esac
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+load_sysctl() {
+    # load matched sysctl values
+    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
+        echo -n $"Loading sysctl settings: "
+        ret=0
+        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
+            fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
+            let ret+=$?;
+        done
+        [ $ret -eq 0 ] && success || failure
+        echo
+    fi
+    return $ret
+}
+
+start() {
+    # Do not start if there is no config file.
+    [ ! -f "$IPTABLES_DATA" ] && return 6
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Applying firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo;
+	if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
+	    echo -n $"${IPTABLES}: Applying firewall fallback rules: "
+	    $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+	    if [ $? -eq 0 ]; then
+		success; echo
+	    else
+		failure; echo; return 1
+	    fi
+	else
+	    return 1
+	fi
+    fi
+
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+
+    # Load sysctl settings
+    load_sysctl
+
+    touch $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+stop() {
+    # Do not stop if iptables module is not loaded.
+    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+
+    # Set default chain policy to ACCEPT, in order to not break shutdown
+    # on systems where the default policy is DROP and root device is
+    # network-based (i.e.: iSCSI, NFS)
+    set_policy ACCEPT
+    # And then, flush the rules and delete chains
+    flush_n_delete
+
+    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
+	echo -n $"${IPTABLES}: Unloading modules: "
+	ret=0
+	for mod in ${NF_MODULES[*]}; do
+	    rmmod_r $mod
+	    let ret+=$?;
+	done
+	# try to unload remaining netfilter modules used by ipv4 and ipv6
+	# netfilter
+	for mod in ${NF_MODULES_COMMON[*]}; do
+	    rmmod_r $mod >/dev/null
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+
+    rm -f $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+save() {
+    # Check if iptable module is loaded
+    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+
+    # Check if firewall is configured (has tables)
+    [ -z "$NF_TABLES" ] && return 6
+
+    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+    ret=0
+    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
+	&& chmod 600 "$TMP_FILE" \
+	&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+	&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
+	|| ret=1
+    if [ $ret -eq 0 ]; then
+	if [ -e $IPTABLES_DATA ]; then
+	    cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+		&& chmod 600 $IPTABLES_DATA.save \
+		&& restorecon $IPTABLES_DATA.save \
+		|| ret=1
+	fi
+	if [ $ret -eq 0 ]; then
+	    mv -f $TMP_FILE $IPTABLES_DATA \
+		&& chmod 600 $IPTABLES_DATA \
+		&& restorecon $IPTABLES_DATA \
+	        || ret=1
+	fi
+    fi
+    rm -f $TMP_FILE
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+status() {
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not running."
+	return 3
+    fi
+
+    # Do not print status if lockfile is missing and iptables modules are not
+    # loaded.
+    # Check if iptable modules are loaded
+    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+	echo $"${IPTABLES}: Firewall modules are not loaded."
+	return 3
+    fi
+
+    # Check if firewall is configured (has tables)
+    if [ -z "$NF_TABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not configured. "
+	return 3
+    fi
+
+    NUM=
+    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+    VERBOSE=
+    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
+    COUNT=
+    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
+
+    for table in $NF_TABLES; do
+	echo $"Table: $table"
+	$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
+    done
+
+    return 0
+}
+
+reload() {
+    # Do not reload if there is no config file.
+    [ ! -f "$IPTABLES_DATA" ] && return 6
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Trying to reload firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo; echo "Firewall rules are not changed."; return 1
+    fi
+
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+
+    # Load sysctl settings
+    load_sysctl
+
+    return $ret
+}
+
+restart() {
+    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+    stop
+    start
+}
+
+
+case "$1" in
+    start)
+	[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	start
+	RETVAL=$?
+	;;
+    stop)
+	[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+	stop
+	RETVAL=$?
+	;;
+    restart|force-reload)
+	restart
+	RETVAL=$?
+	;;
+    reload)
+	[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+	RETVAL=$?
+	;;
+    condrestart|try-restart)
+	[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	restart
+	RETVAL=$?
+	;;
+    status)
+	status
+	RETVAL=$?
+	;;
+    panic)
+	set_policy DROP
+	RETVAL=$?
+        ;;
+    save)
+	save
+	RETVAL=$?
+	;;
+    *)
+	echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
+	RETVAL=2
+	;;
+esac
+
+exit $RETVAL
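Review bot: the script runs under `#!/bin/sh` but depends on bash. `[ $EUID = 0 ] || exit 4` relies on the bash-only $EUID variable; under dash or busybox ash it expands to `[ = 0 ]`, the test fails and the script exits 4 even for root. `NF_MODULES=(...)`, `${NF_MODULES[*]}`, `let ret+=$?` and the `$"..."` strings are bash syntax too. Either change the shebang to `#!/bin/bash` and add bash to RDEPENDS, or rewrite these parts in POSIX sh (`id -u`, whitespace-separated lists, `ret=$((ret + $?))`). It also sources /etc/init.d/functions for `success`, `failure` and `warning`; confirm OE's initscripts `functions` provides all three, otherwise the first status line aborts the script. In save(), `restorecon` is called unconditionally after the `cp` and `mv`; on an image without SELinux userspace it does not exist, the `&&` chain fails and every `save` reports failure although the rules were written. Guard it with `command -v restorecon >/dev/null 2>&1 && restorecon ...`. Finally, `/sbin/$IPTABLES` is hardcoded here and then changed in 5/5; land the correct path in this patch.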
-- 
1.9.1




* [PATCH 3/5] iptables: add default rules
  2014-06-23  2:32 [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Kai Kang
  2014-06-23  2:32 ` [PATCH 1/5] iptables: update RRECOMMENDS Kai Kang
  2014-06-23  2:32 ` [PATCH 2/5] iptables: add init script and configure file Kai Kang
@ 2014-06-23  2:32 ` Kai Kang
  2014-06-23 10:42   ` Burton, Ross
  2014-06-23  2:32 ` [PATCH 4/5] iptables: update rules for ip6tables Kai Kang
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 18+ messages in thread
From: Kai Kang @ 2014-06-23  2:32 UTC (permalink / raw)
  To: openembedded-core

Add default rule files for iptables/ip6tables from RHEL 5.8.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../iptables/iptables/ip6tables.rules              | 31 ++++++++++++++++++++++
 .../iptables/iptables/iptables.rules               | 30 +++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.rules
 create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules

diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.rules b/meta/recipes-extended/iptables/iptables/ip6tables.rules
new file mode 100644
index 0000000..bdd52ed
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.rules
@@ -0,0 +1,31 @@
+# Firewall configuration written by system-config-securitylevel
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 23 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
+-A RH-Firewall-1-INPUT -m udp -p udp --dport 137 -j ACCEPT
+-A RH-Firewall-1-INPUT -m udp -p udp --dport 138 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
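Review bot: this IPv6 rule set has no connection tracking at all; return traffic is admitted by `--dport 32768:61000 ! --syn` and the matching UDP range, which is the old RHEL 5 workaround from before IPv6 conntrack existed and leaves every port in that range open to unsolicited non-SYN TCP and to any UDP. Since 1/5 already recommends nf_conntrack, use `-m state --state ESTABLISHED,RELATED` here as the IPv4 file does, drop the range rules, and add kernel-module-nf-conntrack-ipv6 to the recommends. The header says the file was written by system-config-securitylevel and should not be edited by hand, which is wrong for this tree; replace it with a comment stating where the file came from and that users are expected to edit it. The accepted list (telnet 23, ftp 21, smtp 25, smb 137/138/139/445, nfs 2049, cups 631) from any source is a desktop profile, not a sensible default for an embedded image; consider lo + established + ssh and keep the service rules as commented-out examples.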
diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000..3d92ee0
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/iptables.rules
@@ -0,0 +1,30 @@
+# Firewall configuration written by system-config-securitylevel
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
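Review bot: the `-m state --state ESTABLISHED,RELATED` rule sits after the icmp, ESP/AH, mDNS and CUPS rules, so those are evaluated for every packet of every established flow; placing it right after the `-i lo` rule is the usual ordering and avoids that. The same header-comment and one-size-fits-all concerns as for ip6tables.rules apply here: telnet (23), ftp (21), smtp (25), smb (137/138/139/445) and nfs (2049) are accepted from any source, OUTPUT is policy ACCEPT, and FORWARD jumps into the same chain so a router image forwards to those ports too. For a default shipped in every image, restrict to lo, ESTABLISHED,RELATED and ssh, and leave the service ports as commented examples for users to enable.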
-- 
1.9.1




* [PATCH 4/5] iptables: update rules for ip6tables
  2014-06-23  2:32 [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Kai Kang
                   ` (2 preceding siblings ...)
  2014-06-23  2:32 ` [PATCH 3/5] iptables: add default rules Kai Kang
@ 2014-06-23  2:32 ` Kai Kang
  2014-06-23  2:32 ` [PATCH 5/5] iptables: update init script and bb file Kai Kang
  2014-06-23 10:44 ` [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Burton, Ross
  5 siblings, 0 replies; 18+ messages in thread
From: Kai Kang @ 2014-06-23  2:32 UTC (permalink / raw)
  To: openembedded-core

ip6tables doesn't recognize the REJECT target, so use DROP instead.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-extended/iptables/iptables/ip6tables.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.rules b/meta/recipes-extended/iptables/iptables/ip6tables.rules
index bdd52ed..1045e41 100644
--- a/meta/recipes-extended/iptables/iptables/ip6tables.rules
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.rules
@@ -27,5 +27,5 @@
 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
--A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A RH-Firewall-1-INPUT -j DROP
 COMMIT
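Review bot: switching to DROP changes behaviour rather than fixing the cause. REJECT is available on ip6tables when the ip6t_REJECT kernel module is present; "doesn't recognize target REJECT" means the test kernel lacks it, and 1/5 recommends only `kernel-module-ipt-reject`. Add `kernel-module-ip6t-reject` to RRECOMMENDS and keep `-j REJECT --reject-with icmp6-adm-prohibited`, so IPv6 clients get an immediate refusal instead of a timeout, matching the IPv4 file. If DROP is kept deliberately, the commit message should say it is a policy choice, not an ip6tables limitation.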
-- 
1.9.1




* [PATCH 5/5] iptables: update init script and bb file
  2014-06-23  2:32 [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Kai Kang
                   ` (3 preceding siblings ...)
  2014-06-23  2:32 ` [PATCH 4/5] iptables: update rules for ip6tables Kai Kang
@ 2014-06-23  2:32 ` Kai Kang
  2014-06-23 11:44   ` Anders Darander
  2014-06-23 10:44 ` [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Burton, Ross
  5 siblings, 1 reply; 18+ messages in thread
From: Kai Kang @ 2014-06-23  2:32 UTC (permalink / raw)
  To: openembedded-core

Update the path of the iptables command in the init script, since we
install it in /usr/sbin rather than /sbin. Then update the bb file to
install the init script, configuration and rules files.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-extended/iptables/iptables/iptables.init |  4 ++--
 meta/recipes-extended/iptables/iptables_1.4.21.bb     | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-extended/iptables/iptables/iptables.init b/meta/recipes-extended/iptables/iptables/iptables.init
index 01057dd..3f9ce23 100755
--- a/meta/recipes-extended/iptables/iptables/iptables.init
+++ b/meta/recipes-extended/iptables/iptables/iptables.init
@@ -33,8 +33,8 @@ VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
 # only usable for root
 [ $EUID = 0 ] || exit 4
 
-if [ ! -x /sbin/$IPTABLES ]; then
-    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+if [ ! -x /usr/sbin/$IPTABLES ]; then
+    echo -n $"${IPTABLES}: /usr/sbin/$IPTABLES does not exist."; warning; echo
     exit 5
 fi
 
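Review bot: rather than hardcoding /usr/sbin here, let the recipe substitute the real path at install time (`sed -i 's;/usr/sbin;${sbindir};' ...` in do_install) or test `command -v $IPTABLES`, so the script does not break again if the install prefix changes. The same path is repeated in the message string on the next line; one variable such as `IPTABLES_BIN=/usr/sbin/$IPTABLES` would keep the check and the message in sync.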
diff --git a/meta/recipes-extended/iptables/iptables_1.4.21.bb b/meta/recipes-extended/iptables/iptables_1.4.21.bb
index ba4e8e4..a6fe55f 100644
--- a/meta/recipes-extended/iptables/iptables_1.4.21.bb
+++ b/meta/recipes-extended/iptables/iptables_1.4.21.bb
@@ -28,6 +28,10 @@ FILES_${PN}-dbg =+ "${libdir}/xtables/.debug"
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
            file://types.h-add-defines-that-are-required-for-if_packet.patch \
            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
+           file://iptables.init \
+           file://iptables-config \
+           file://iptables.rules \
+           file://ip6tables.rules \
           "
 
 SRC_URI[md5sum] = "536d048c8e8eeebcd9757d0863ebb0c0"
@@ -50,3 +54,18 @@ do_configure_prepend() {
 	# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
 	rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
 }
+
+do_install_append() {
+	install -d -m 755 ${D}${sysconfdir}/init.d
+	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/iptables
+	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/ip6tables
+	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/init.d/ip6tables
+
+	install -d -m 755 ${D}${sysconfdir}/sysconfig
+	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig
+	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/ip6tables-config
+	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/sysconfig/ip6tables-config
+
+	install -m 755 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/sysconfig/iptables
+	install -m 755 ${WORKDIR}/ip6tables.rules ${D}${sysconfdir}/sysconfig/ip6tables
+}
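Review bot: the configuration and rules files are installed with mode 755 although they are not executables. Install iptables-config with 644 and the rules files with 600, which is also the mode the init script's save() enforces when it rewrites /etc/sysconfig/iptables. The init scripts are copied into /etc/init.d but never enabled: inherit update-rc.d and set INITSCRIPT_NAME/INITSCRIPT_PARAMS from the `chkconfig: 2345 08 92` header, otherwise nothing starts the firewall at boot. All four files are user-edited configuration and belong in CONFFILES_${PN} so an upgrade does not overwrite local rules. As Anders asks, putting the rules files into their own package (for example ${PN}-rules, pulled in via RRECOMMENDS) lets an image opt out with BAD_RECOMMENDATIONS.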
-- 
1.9.1




* Re: [PATCH 3/5] iptables: add default rules
  2014-06-23  2:32 ` [PATCH 3/5] iptables: add default rules Kai Kang
@ 2014-06-23 10:42   ` Burton, Ross
  2014-06-24  1:38     ` Kang Kai
  0 siblings, 1 reply; 18+ messages in thread
From: Burton, Ross @ 2014-06-23 10:42 UTC (permalink / raw)
  To: Kai Kang; +Cc: OE-core

On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
> +# Firewall configuration written by system-config-securitylevel
> +# Manual customization of this file is not recommended.

That's just going to be confusing to anyone who doesn't know that this
file was copied directly from RedHat.

Also, is it sensible to ship a static firewall configuration?  The one
thing we're not is one-size-fits-all.

Ross



* Re: [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs
  2014-06-23  2:32 [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Kai Kang
                   ` (4 preceding siblings ...)
  2014-06-23  2:32 ` [PATCH 5/5] iptables: update init script and bb file Kai Kang
@ 2014-06-23 10:44 ` Burton, Ross
  2014-06-24  1:57   ` Kang Kai
  5 siblings, 1 reply; 18+ messages in thread
From: Burton, Ross @ 2014-06-23 10:44 UTC (permalink / raw)
  To: Kai Kang; +Cc: OE-core

> Kai Kang (5):
>   iptables: update RRECOMMENDS
>   iptables: add init script and configure file
>   iptables: update init script and bb file

Squash these so there's a single commit that adds and integrates a
working init script.

>   iptables: add default rules
>   iptables: update rules for ip6tables

Ditto, squash these into a single commit.

Ross



* Re: [PATCH 5/5] iptables: update init script and bb file
  2014-06-23  2:32 ` [PATCH 5/5] iptables: update init script and bb file Kai Kang
@ 2014-06-23 11:44   ` Anders Darander
  2014-06-24  1:49     ` Kang Kai
  0 siblings, 1 reply; 18+ messages in thread
From: Anders Darander @ 2014-06-23 11:44 UTC (permalink / raw)
  To: Kai Kang; +Cc: openembedded-core

* Kai Kang <kai.kang@windriver.com> [140623 04:34]:
> Update path of command iptables in init script that we put it in
> /usr/sbin rather than /sbin. Then update bb file to install init script,
> configure and rules files.

These new files aren't that big, but could you anyway package at least
the rules files into a separate package? Using an RRECOMMENDS would be
fine, as I can easily add a BAD_RECOMMENDATION for that package.

It might be that I don't need/want both of iptables and ip6tables
installed; or even that I don't want either of those installed by
default.

Cheers,
Anders

> +do_install_append() {
> +	install -d -m 755 ${D}${sysconfdir}/init.d
> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/iptables
> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/ip6tables
> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/init.d/ip6tables
> +
> +	install -d -m 755 ${D}${sysconfdir}/sysconfig
> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig
> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/ip6tables-config
> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/sysconfig/ip6tables-config
> +
> +	install -m 755 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/sysconfig/iptables
> +	install -m 755 ${WORKDIR}/ip6tables.rules ${D}${sysconfdir}/sysconfig/ip6tables
> +}
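Review bot: the `install -m 755` on the last six install lines (iptables-config, ip6tables-config, iptables.rules and ip6tables.rules) marks plain data files executable; use `-m 0644` for the two config files and `-m 0600` for the two rules files, since a rules file spells out which services and addresses the device accepts and has no reason to be world-readable. Listing the installed rules files in CONFFILES would also keep a user-edited /etc/sysconfig/iptables from being overwritten on package upgrade.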
-- 
Anders Darander
ChargeStorm AB / eStorm AB



* Re: [PATCH 3/5] iptables: add default rules
  2014-06-23 10:42   ` Burton, Ross
@ 2014-06-24  1:38     ` Kang Kai
  2014-06-24  6:06       ` Anders Darander
  0 siblings, 1 reply; 18+ messages in thread
From: Kang Kai @ 2014-06-24  1:38 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core

On 2014-06-23 18:42, Burton, Ross wrote:
> On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
>> +# Firewall configuration written by system-config-securitylevel
>> +# Manual customization of this file is not recommended.
> That's just going to be confusing to anyone who doesn't know that this
> file was copied directly from RedHat.

OK, I'll remove them.

>
> Also, is it sensible to ship a static firewall configuration?  The one
> thing we're not is one-size-fits-all.

I just want users to be able to start iptables without any professional work. 
And these static firewall rules are common for desktop/server.
Or would an empty rule set be better? Anyone who wants to use iptables 
writes his/her own rules. But it is a little difficult for people 
who are not familiar with iptables.

Any suggestion?

Thanks,
Kai

>
> Ross
>
>


-- 
Regards,
Neil | Kai Kang




* Re: [PATCH 5/5] iptables: update init script and bb file
  2014-06-23 11:44   ` Anders Darander
@ 2014-06-24  1:49     ` Kang Kai
  2014-06-24  6:01       ` Anders Darander
  0 siblings, 1 reply; 18+ messages in thread
From: Kang Kai @ 2014-06-24  1:49 UTC (permalink / raw)
  To: openembedded-core, anders

On 2014-06-23 19:44, Anders Darander wrote:
> * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
>> Update the path of the iptables command in the init script, since we put it in
>> /usr/sbin rather than /sbin. Then update the bb file to install the init script,
>> config and rules files.
> These new files aren't that big, but could you anyway package at least
> the rules files into a separate package? Using an RRECOMMENDS would be
> fine, as I can easily add a BAD_RECOMMENDATION for that package.

Of course.

And as I replied in the last mail, do you think that an empty rule set is 
better? A little concern is for iptables newbies.

>
> It might be that I don't need/want both of iptables and ip6tables
> installed; or even that I don't want either of those installed by
> default.

iptables and ip6tables are not split into separate packages, so I put 
them together. And the iptables package is indeed not installed by default.

Regards,
Kai

>
> Cheers,
> Anders
>
>> +do_install_append() {
>> +	install -d -m 755 ${D}${sysconfdir}/init.d
>> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/iptables
>> +	install -m 755 ${WORKDIR}/iptables.init ${D}${sysconfdir}/init.d/ip6tables
>> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/init.d/ip6tables
>> +
>> +	install -d -m 755 ${D}${sysconfdir}/sysconfig
>> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig
>> +	install -m 755 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/ip6tables-config
>> +	sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' ${D}${sysconfdir}/sysconfig/ip6tables-config
>> +
>> +	install -m 755 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/sysconfig/iptables
>> +	install -m 755 ${WORKDIR}/ip6tables.rules ${D}${sysconfdir}/sysconfig/ip6tables
>> +}
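Review bot: the three ip6tables copies (init.d/ip6tables, sysconfig/ip6tables-config and sysconfig/ip6tables) are installed unconditionally, while, as noted earlier in this thread, the recipe does not build IPv6 support when 'ipv6' is absent from DISTRO_FEATURES; such an image would then ship an init script that calls an ip6tables binary it does not have. Wrap those six lines in a check such as `if ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'true', 'false', d)}; then ... fi` so the IPv6 files follow the same switch as the binary.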


-- 
Regards,
Neil | Kai Kang




* Re: [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs
  2014-06-23 10:44 ` [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Burton, Ross
@ 2014-06-24  1:57   ` Kang Kai
  0 siblings, 0 replies; 18+ messages in thread
From: Kang Kai @ 2014-06-24  1:57 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core

On 2014-06-23 18:44, Burton, Ross wrote:
>> Kai Kang (5):
>>    iptables: update RRECOMMENDS
>>    iptables: add init script and configure file
>>    iptables: update init script and bb file
> Squash these so there's a single commit that adds and integrates a
> working init script.

Though there is only a small change to the init script, I still want to keep 
it separate to make clear which part is our modification.

I prefer to squash

iptables: update RRECOMMENDS
iptables: update init script and bb file

and keep
iptables: add init script and configure file




>
>>    iptables: add default rules
>>    iptables: update rules for ip6tables
> Ditto, squash these into a single commit.

I prefer to keep them too.

Regards,
Kai

>
> Ross
>
>


-- 
Regards,
Neil | Kai Kang




* Re: [PATCH 5/5] iptables: update init script and bb file
  2014-06-24  1:49     ` Kang Kai
@ 2014-06-24  6:01       ` Anders Darander
  2014-06-25  6:46         ` Kang Kai
  0 siblings, 1 reply; 18+ messages in thread
From: Anders Darander @ 2014-06-24  6:01 UTC (permalink / raw)
  To: Kang Kai; +Cc: openembedded-core

* Kang Kai <Kai.Kang@windriver.com> [140624 03:49]:

> On 2014-06-23 19:44, Anders Darander wrote:
> > * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
> >> Update the path of the iptables command in the init script, since we put it in
> >> /usr/sbin rather than /sbin. Then update the bb file to install the init script,
> >> config and rules files.
> > These new files aren't that big, but could you anyway package at least
> > the rules files into a separate package? Using an RRECOMMENDS would be
> > fine, as I can easily add a BAD_RECOMMENDATION for that package.

> Of course.

> And as I replied in last main, do you think that an empty rule is 
> better? A little concern is for iptables newbies.

Well, I'd be at least a little bit happier to have the ipv6 rules file
obey the ipv6 distro feature, see below.

Besides, most users of OE-Core won't get any benefit from a pre-generated
iptables rules file. Remember, we're building embedded devices that have
everything but a standard setup.

If you want a static firewall configuration supplied by oe-core, can't
we package it in a separate package anyway?

> > It might be that I don't need/want both of iptables and ip6tables
> > installed; or even that I don't want either of those installed by
> > default.

> iptables and ip6tables are not split into separated packages, so I put 
> them together. And package iptbales is not installed by default indeed.

No, but at least we're not building IPv6 support into the package if
ipv6 is not set in DISTRO_FEATURES. At the very least, the ip6tables
rules file should obey that DISTRO_FEATURE also.

Cheers,
Anders

-- 
Naeser's Law:
	You can make it foolproof, but you can't make it damnfoolproof.
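The two requests in the message above, a separate package for the rules files and IPv6 pieces that follow the 'ipv6' DISTRO_FEATURE, sketched as a recipe fragment. This is an added example, not the patch as posted or the OE-core recipe; it uses the 2014-era underscore override syntax of the iptables_1.4.21 recipe and the file names from the patch. The package name ${PN}-rules, the IPV6_ENABLED helper variable, the file modes and the init ordering numbers are assumptions.

```bitbake
# Added example (not the posted patch): rules in their own package, IPv6
# files and modules gated on DISTRO_FEATURES. ${PN}-rules, IPV6_ENABLED,
# the file modes and INITSCRIPT_PARAMS are assumptions.

inherit update-rc.d

IPV6_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"

# Prepend so the -rules FILES pattern is matched before ${PN} picks the files up.
PACKAGES =+ "${PN}-rules"

# A distro that wants no canned policy drops it with
#   BAD_RECOMMENDATIONS += "iptables-rules"
# and keeps the iptables package and init script.
FILES_${PN}-rules = "${sysconfdir}/sysconfig/iptables \
                     ${sysconfdir}/sysconfig/ip6tables"
# Mark the rules as config so a locally edited policy survives an upgrade.
CONFFILES_${PN}-rules = "${sysconfdir}/sysconfig/iptables \
                         ${sysconfdir}/sysconfig/ip6tables"
RRECOMMENDS_${PN} += "${PN}-rules"

# IPv6 kernel modules only when the distro builds IPv6 at all.
RRECOMMENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', \
    'kernel-module-ip6-tables kernel-module-ip6table-filter', '', d)}"

# update-rc.d registers one script per package; ip6tables is installed
# below but would need its own package (or a postinst) to be registered.
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME_${PN} = "iptables"
INITSCRIPT_PARAMS_${PN} = "start 08 2 3 4 5 . stop 92 0 1 6 ."

do_install_append() {
    install -d -m 0755 ${D}${sysconfdir}/init.d ${D}${sysconfdir}/sysconfig

    install -m 0755 ${WORKDIR}/iptables.init   ${D}${sysconfdir}/init.d/iptables
    # Config is data, not a program: no execute bit. The rules file lists
    # what the device accepts, so keep it readable by root only.
    install -m 0644 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/iptables-config
    install -m 0600 ${WORKDIR}/iptables.rules  ${D}${sysconfdir}/sysconfig/iptables

    # The IPv6 copies follow the same switch as the ip6tables binary.
    if [ "${IPV6_ENABLED}" = "yes" ]; then
        install -m 0755 ${WORKDIR}/iptables.init   ${D}${sysconfdir}/init.d/ip6tables
        install -m 0644 ${WORKDIR}/iptables-config ${D}${sysconfdir}/sysconfig/ip6tables-config
        install -m 0600 ${WORKDIR}/ip6tables.rules ${D}${sysconfdir}/sysconfig/ip6tables
        sed -i -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' \
            ${D}${sysconfdir}/init.d/ip6tables \
            ${D}${sysconfdir}/sysconfig/ip6tables-config
    fi
}
```

With this layout the policy is a recommendation rather than a dependency, so an image built without 'ipv6' gets neither the ip6tables files nor the ip6* module recommendations, and an image that lists iptables-rules in BAD_RECOMMENDATIONS boots with the init script present but no shipped rules.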



* Re: [PATCH 3/5] iptables: add default rules
  2014-06-24  1:38     ` Kang Kai
@ 2014-06-24  6:06       ` Anders Darander
  2014-06-25  6:43         ` Kang Kai
  0 siblings, 1 reply; 18+ messages in thread
From: Anders Darander @ 2014-06-24  6:06 UTC (permalink / raw)
  To: Kang Kai; +Cc: OE-core

* Kang Kai <Kai.Kang@windriver.com> [140624 03:40]:

> On 2014-06-23 18:42, Burton, Ross wrote:
> > On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
> > Also, is it sensible to ship a static firewall configuration?  The one
> > thing we're not is one-size-fits-all.

> I just want users to be able to start iptables without any professional work. 
> And these static firewall rules are common for desktop/server.
> Or would an empty rule set be better? 

If these rules are common for a desktop/server, do they make sense here?
Or should a simplified rule set be your example configuration in that
case?

Cheers,
Anders

-- 
Anders Darander
ChargeStorm AB / eStorm AB



* Re: [PATCH 1/5] iptables: update RRECOMMENDS
  2014-06-23  2:32 ` [PATCH 1/5] iptables: update RRECOMMENDS Kai Kang
@ 2014-06-24  6:11   ` Anders Darander
  2014-06-25  6:27     ` Kang Kai
  0 siblings, 1 reply; 18+ messages in thread
From: Anders Darander @ 2014-06-24  6:11 UTC (permalink / raw)
  To: Kai Kang; +Cc: openembedded-core

* Kai Kang <kai.kang@windriver.com> [140623 04:34]:

> @@ -15,7 +15,13 @@ RRECOMMENDS_${PN} = "kernel-module-x-tables \
>                       kernel-module-nf-conntrack \
>                       kernel-module-nf-conntrack-ipv4 \
>                       kernel-module-nf-nat \
> -                     kernel-module-ipt-masquerade"
> +                     kernel-module-ipt-masquerade \
> +                     kernel-module-xt-tcpudp \
> +                     kernel-module-xt-conntrack \
> +                     kernel-module-ipt-reject \
> +                     kernel-module-ip6-tables \
> +                     kernel-module-ip6table-filter \
> +                    "
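Review bot: the IPv6 half of this list is thinner than the IPv4 half: kernel-module-xt-conntrack and kernel-module-ipt-reject are added for the IPv4 rules, but their IPv6 counterparts (kernel-module-nf-conntrack-ipv6 for conntrack matching on IPv6 traffic, kernel-module-ip6t-reject for a REJECT target) are not, so an ip6tables.rules that uses `-m conntrack` or `-j REJECT` will fail to load with only ip6-tables and ip6table-filter present. Add those two alongside kernel-module-ip6-tables and kernel-module-ip6table-filter if the shipped ip6tables.rules needs them.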

As it's for RRECOMMENDS_${PN} your patch will likely work for everyone.
Though, you should really only add the ip6* kernel modules if ipv6 is in
DISTRO_FEATURES.

Cheers,
Anders

(And as a completely unrelated side note, I wonder if it isn't time to
start looking at adding an ipv4 DISTRO_FEATURE to make it easier to
build IPv6 only devices...)

-- 
Anders Darander
ChargeStorm AB / eStorm AB



* Re: [PATCH 1/5] iptables: update RRECOMMENDS
  2014-06-24  6:11   ` Anders Darander
@ 2014-06-25  6:27     ` Kang Kai
  0 siblings, 0 replies; 18+ messages in thread
From: Kang Kai @ 2014-06-25  6:27 UTC (permalink / raw)
  To: openembedded-core

On 2014-06-24 14:11, Anders Darander wrote:
> * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
>
>> @@ -15,7 +15,13 @@ RRECOMMENDS_${PN} = "kernel-module-x-tables \
>>                        kernel-module-nf-conntrack \
>>                        kernel-module-nf-conntrack-ipv4 \
>>                        kernel-module-nf-nat \
>> -                     kernel-module-ipt-masquerade"
>> +                     kernel-module-ipt-masquerade \
>> +                     kernel-module-xt-tcpudp \
>> +                     kernel-module-xt-conntrack \
>> +                     kernel-module-ipt-reject \
>> +                     kernel-module-ip6-tables \
>> +                     kernel-module-ip6table-filter \
>> +                    "
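Review bot: the two ip6* entries at the end of the list (kernel-module-ip6-tables and kernel-module-ip6table-filter) are recommended unconditionally, even on a build whose DISTRO_FEATURES lacks 'ipv6' and therefore has no ip6tables binary to use them; express them as `${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'kernel-module-ip6-tables kernel-module-ip6table-filter', '', d)}` so they appear only when IPv6 is built.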
> As it's for RRECOMMENDS_${PN} your patch will likely work for everyone.
> Though, you should really only add the ip6* kernel modules if ipv6 is in
> DISTRO_FEATURES.

OK.

Thanks,
Kai



>
> Cheers,
> Anders
>
> (And as a completely unrelated side note, I wonder if it isn't time to
> start looking at adding an ipv4 DISTRO_FEATURE to make it easier to
> build IPv6 only devices...)
>


-- 
Regards,
Neil | Kai Kang




* Re: [PATCH 3/5] iptables: add default rules
  2014-06-24  6:06       ` Anders Darander
@ 2014-06-25  6:43         ` Kang Kai
  0 siblings, 0 replies; 18+ messages in thread
From: Kang Kai @ 2014-06-25  6:43 UTC (permalink / raw)
  To: Burton, Ross, OE-core

On 2014-06-24 14:06, Anders Darander wrote:
> * Kang Kai <Kai.Kang@windriver.com> [140624 03:40]:
>
>> On 2014-06-23 18:42, Burton, Ross wrote:
>>> On 23 June 2014 03:32, Kai Kang <kai.kang@windriver.com> wrote:
>>> Also, is it sensible to ship a static firewall configuration?  The one
>>> thing we're not is one-size-fits-all.
>> I just want users to be able to start iptables without any professional work.
>> And these static firewall rules are common for desktop/server.
>> Or would an empty rule set be better?
> If these rules are common for a desktop/server, do they make sense here?
> Or should a simplified rule set be your example configuration in that
> case?

I am thinking of putting a config file there without any special rules, 
one that allows all input and output.
Users could update it with their own rules.

Regards,
Kai



>
> Cheers,
> Anders
>


-- 
Regards,
Neil | Kai Kang




* Re: [PATCH 5/5] iptables: update init script and bb file
  2014-06-24  6:01       ` Anders Darander
@ 2014-06-25  6:46         ` Kang Kai
  0 siblings, 0 replies; 18+ messages in thread
From: Kang Kai @ 2014-06-25  6:46 UTC (permalink / raw)
  To: openembedded-core

On 2014-06-24 14:01, Anders Darander wrote:
> * Kang Kai <Kai.Kang@windriver.com> [140624 03:49]:
>
>> On 2014-06-23 19:44, Anders Darander wrote:
>>> * Kai Kang <kai.kang@windriver.com> [140623 04:34]:
>>>> Update the path of the iptables command in the init script, since we put it in
>>>> /usr/sbin rather than /sbin. Then update the bb file to install the init script,
>>>> config and rules files.
>>> These new files aren't that big, but could you anyway package at least
>>> the rules files into a separate package? Using an RRECOMMENDS would be
>>> fine, as I can easily add a BAD_RECOMMENDATION for that package.
>> Of course.
>> And as I replied in the last mail, do you think that an empty rule set is
>> better? A little concern is for iptables newbies.
> Well, I'd be at least a little bit happier to have the ipv6 rules file
> obey the ipv6 distro feature, see below.
>
> Besides, most users of OE-Core won't get any benefit from a pre-generated
> iptables rules file. Remember, we're building embedded devices that have
> everything but a standard setup.
>
> If you want a static firewall configuration supplied by oe-core, can't
> we package it in a separate package anyway?

OK.

>
>>> It might be that I don't need/want both of iptables and ip6tables
>>> installed; or even that I don't want either of those installed by
>>> default.
>> iptables and ip6tables are not split into separated packages, so I put
>> them together. And package iptbales is not installed by default indeed.
> No, but at least we're not building IPv6 support into the package if
> ipv6 is not set in DISTRO_FEATURES. At the very least, the ip6tables
> rules file should obey that DISTRO_FEATURE also.

I'll update it to check DISTRO_FEATURES for ipv6 support.

Regards,
Kai


>
> Cheers,
> Anders
>


-- 
Regards,
Neil | Kai Kang





Thread overview: 18+ messages
2014-06-23  2:32 [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Kai Kang
2014-06-23  2:32 ` [PATCH 1/5] iptables: update RRECOMMENDS Kai Kang
2014-06-24  6:11   ` Anders Darander
2014-06-25  6:27     ` Kang Kai
2014-06-23  2:32 ` [PATCH 2/5] iptables: add init script and configure file Kai Kang
2014-06-23  2:32 ` [PATCH 3/5] iptables: add default rules Kai Kang
2014-06-23 10:42   ` Burton, Ross
2014-06-24  1:38     ` Kang Kai
2014-06-24  6:06       ` Anders Darander
2014-06-25  6:43         ` Kang Kai
2014-06-23  2:32 ` [PATCH 4/5] iptables: update rules for ip6tables Kai Kang
2014-06-23  2:32 ` [PATCH 5/5] iptables: update init script and bb file Kai Kang
2014-06-23 11:44   ` Anders Darander
2014-06-24  1:49     ` Kang Kai
2014-06-24  6:01       ` Anders Darander
2014-06-25  6:46         ` Kang Kai
2014-06-23 10:44 ` [PATCH 0/5] Update iptables runtime recommends and add default init scripts and configs Burton, Ross
2014-06-24  1:57   ` Kang Kai
